Abstract

Since its first appearance in Fridrich’s design, the use of the permutation-diffusion structure for designing digital image
cryptosystems has received increasing research attention in the field of chaos-based cryptography. Recently, a novel
chaotic Image Cipher using one round Modified Permutation-Diffusion pattern (ICMPD) was proposed. Unlike the traditional
permutation-diffusion structure, in ICMPD the permutation operates on the bit level instead of the pixel level, and the
diffusion operates on masked pixels, which are obtained by carrying out the classical affine cipher, instead of plain pixels.
Following a divide-and-conquer strategy, this paper reports that ICMPD can be compromised efficiently by a chosen-plaintext
attack and that the data complexity involved is linear in the size of the plain-image. Moreover, the relationship between the
cryptographic kernel at the diffusion stage of ICMPD and modulo addition then XORing is explored thoroughly.

1. Introduction

In the field of chaos-based cryptography, Fridrich’s design, which we refer to as the permutation-diffusion structure in this
paper, has received remarkable research attention. Inheriting from the substitution-permutation network, this
scheme suggests iterating the permutation and diffusion stages for several rounds to obtain good confusion and diffusion
effects, as depicted in Fig. 1.

The work of Fridrich can be extended in various aspects. Chen et al. proposed using a 3D chaotic cat
map, instead of a 2D map, to de-correlate the relationship among pixels in the permutation stage [2]. Observing that one
diffusion round, which typically proceeds in a sequential manner and involves nonlinear operations, often possesses higher
computational complexity than a permutation round, Wong et al. proposed an “add-and-then-shift” strategy
to include some diffusion effect in the permutation stage. In this way, the number of iteration rounds as well as the
computational complexity can be reduced without affecting the security level of the resultant cryptosystem. This idea was
further studied by Zhu et al. to design bit-level permutation techniques.

For the sake of efficiency, some researchers have devoted their attention to designing secure chaos-based cryptosystems
in the extreme case, i.e., where the number of iteration rounds is only one. Zhang et al. proposed a chaos-based image cipher
based on a one-round permutation-diffusion structure, where some plaintext information is fed back to the key schedule. Norouzi
et al. suggested correlating the key schedule with the sum of plaintext data to construct a chaotic cipher with a single diffusion
round. The intuitive extension of their work is to include a permutation stage in the whole system, as suggested by Yang et
al. In [9], Zhu et al. suggested a chaotic Image Cipher using one round Modified Permutation-Diffusion (ICMPD)
architecture. Different from Fridrich’s design, the permutation stage operates on the bit level instead of the pixel level and
the diffusion stage operates on the output of the classical affine cipher instead of plain pixels.

As previously reported, most image cryptosystems based on a one-round permutation-diffusion architecture are not secure under
the chosen-plaintext attack (CPA) scenario. This paper reports that ICMPD suffers from the same defect. Unlike many cryptanalysis
works which only deal with a specific chaos-based image cryptosystem [11, 12, 13], this work makes several contributions.
First, we provide a quantitative security evaluation framework for both the diffusion kernel of ICMPD and the classical
modulo then XORing operation. Second, we report that employing the nonlinear modulo operation inevitably leads to
the existence of (partially equivalent) key streams in the one-round permutation-diffusion structure. Finally,
applying our results leads to an efficient CPA on ICMPD. This is reproducible research and all the code is
openly accessible.¹

The rest of the paper is organized as follows. The next section describes the details of ICMPD and then provides some
experimental results for illustration. In Sec. 3, the diffusion kernel of ICMPD is cast into the form of modulo then XORing
and analyzed thoroughly. Sec. 4 explains how to break ICMPD using a divide-and-conquer strategy in the CPA scenario,
followed by some simulation results. The last section concludes our work by briefly discussing possible remedies for
ICMPD.


2. The image encryption scheme under study 

The image encryption scheme proposed in [9], i.e., ICMPD, is applied to gray-scale images with $L = H \times W$ pixels. It
exploits the permutation-diffusion structure suggested by Fridrich [7] with the following two modifications: a) the
permutation operates on bits instead of pixels; b) the diffusion operates on masked pixels instead of plain pixels. For the sake
of clarity, we depict the schematic diagram of ICMPD in Fig. 2 and modify the notations used in [9] to describe the scheme
under study.


2.1. Key schedule 

The secret key of ICMPD is composed of a set of initial values and control parameters for several chaotic systems. 
Specifically, they are: 

• Initial value $(x_0, y_0)$ and control parameters $(a, b)$ of the following generalized Arnold map
y n I


(1) 


where a > 1, b > 1 and (x mod 1) represents the fractional part of real number x. 

• Two sets of initial value and control parameter, i.e., $\{(k', x'_0), (k^{\diamond}, x^{\diamond}_0)\}$, of the following Chebyshev map

$$x_{n+1} = \cos(k \cdot \arccos(x_n)), \tag{2}$$

where $k \geq 2$ and $x_n \in [-1, 1]$.

• Initial value and control parameter $(\mu, x^*_0)$ of the following Logistic map

$$x_{n+1} = \mu x_n (1 - x_n), \tag{3}$$

where $\mu \in (3.57, 4)$ and $x_n \in (0, 1)$.

The secret key streams employed in the row/column permutation stage, substitution stage and diffusion stage are obtained 
through post-processing the chaotic systems orbits. These processes can be summarized as follows: 

1. Permutation streams $E_r$ and $E_c$. Iterate the generalized Arnold map (1) using the partial key $(x_0, y_0, a, b)$ $h_0 + 8L$ times
and denote the latter $8L$ outputs by $X = \{x_i\}_{i=1}^{8L}$ and $Y = \{y_i\}_{i=1}^{8L}$. Sort $X$ and $Y$ in ascending order and get the
permutation streams $E_r = \{e_r(i)\}_{i=1}^{8L}$ and $E_c = \{e_c(i)\}_{i=1}^{8L}$ by comparing $X$ and $Y$ with their sorted versions, respectively.

1 https://sites.google.com/site/leoyuzhang/.

2. Substitution streams $S$ and $T$. Run the Chebyshev map (2) iteratively through $(k', x'_0)$ and post-process the resultant
orbit $x'_i$ by

$$y_i = \lfloor 10^9 \cdot |x'_i| \rfloor \bmod 256, \tag{4}$$

where $|x|$ and $\lfloor x \rfloor$ return the absolute value of $x$ and the largest integer not larger than $x$, respectively. If $\gcd(y_i, 256) = 1$,
we push this value to $S$. Otherwise, we proceed with the next orbit $x'_{i+1}$ till the length of $S$ reaches $L$. Finally,
we obtain a random number stream $S = \{s(i)\}_{i=1}^{L}$ whose elements are coprime to 256. Similarly,
run Eq. (2) under $(k^{\diamond}, x^{\diamond}_0)$ and get $\{x^{\diamond}_i\}_{i=1}^{L}$. Quantize the result using Eq. (4) and obtain $T = \{t(i)\}_{i=1}^{L}$.

3. Diffusion stream $R$. Execute the Logistic map (3) under $(\mu, x^*_0)$ iteratively and obtain random chaotic orbits $\{x^*_i\}_{i=1}^{L}$.
Quantize the sequences by Eq. (4) and denote the results by $R = \{r(i)\}_{i=1}^{L}$.

2.2. Encryption process 

As depicted in Fig. 2, the encryption process in ICMPD is composed of the following steps:

1. Bit decomposition. Scan an image $P$ in raster order and obtain a pixel sequence $\{p(i)\}_{i=1}^{L}$. Decompose each pixel
of $P$ into its 8 bits and denote the binary sequence by $B = \{b(j)\}_{j=1}^{8L}$, where $p(i) = \sum_{k=1}^{8} b(8(i-1)+k) \cdot 2^{k-1}$.

2. Bit permutation.² Permute the binary format of the image $B$ in both horizontal and vertical directions and get
$\bar{B} = \{\bar{b}(j)\}_{j=1}^{8L}$ via

$$\bar{b}(j) = b(e_c(e_r(j))). \tag{5}$$

3. Local pixel substitution. Combine every 8 bits of $\bar{B}$ into a new pixel sequentially using

$$p'(i) = \sum_{k=1}^{8} \bar{b}(8(i-1)+k) \cdot 2^{k-1}, \tag{6}$$

where $i = 1 \sim L$. The obtained pixels are substituted using the affine cipher in order, i.e.,

$$c'(i) = p'(i)s(i) \dotplus t(i), \tag{7}$$

where $a \dotplus b = (a + b) \bmod 2^8$.

4. Global pixel diffusion. Collect the substitution result $C' = \{c'(i)\}_{i=1}^{L}$ and update it by the classical diffusion rule as
follows

$$c(i) = c'(i) \oplus r(i) \oplus c(i-1), \tag{8}$$

where $c(0) = 172$ and $i = 1 \sim L$. Finally, transform the ciphertext sequence $C = \{c(i)\}_{i=1}^{L}$ into an image of size $H \times W$.

The decryption can be achieved by executing the encryption steps in reverse order; a detailed description can be found in
[9, Sec. 3]. As demonstrated by Zhu et al. in [9, Sec. 4], the new scheme should possess high security since: 1) the key
space is large enough to resist brute-force attack; 2) the adoption of multiple chaotic systems for the generation of key
streams guarantees good key sensitivity; 3) the modified permutation-diffusion architecture introduces diffusion effect in
both the permutation and diffusion stages, which may frustrate any plaintext attacks. For illustration purposes, we set the secret
key $(x_0, y_0, a, b, k', x'_0, k^{\diamond}, x^{\diamond}_0, \mu, x^*_0)$ to $(0.346, 0.478, 1.644, 2.986, 4.434, 0.6435, 5.673, 0.523, 3.14, 0.34)$.
Two $128 \times 128$ plain-images, “Lena” and “Peppers”, shown in Fig. 3(a) and Fig. 3(b), are encrypted and their corresponding
cipher-images are depicted in Fig. 3(c) and Fig. 3(d).

As we will discuss in the next section, the local pixel substitution and global pixel diffusion, which serve as the core of
the nonlinear diffusion stage of the modified architecture, can be treated as a generalization of a typical modulo addition
then XORing operation and are fragile in the chosen-plaintext attack (CPA) scenario. Based on this finding, a CPA can readily
compromise the cipher under study using the divide-and-conquer strategy.


2 For simplicity, we slightly modify the permutation techniques described in [9] while keeping its security level unchanged.

3. Related work and main results


The modulo addition then XORing operation, which is nonlinear and has low computational complexity, serves as the
fundamental or even the only component in many image cryptosystems. Mathematically, it can be
expressed as

$$c(i) = (p(i) \dotplus k(i)) \oplus k(i) \oplus c(i-1), \tag{9}$$

where $k(i)$ is the $i$-th element of the key stream $K$, and $p(i)$ and $c(i)$ are the $i$-th pixels of the plain-image $P$ and
cipher-image $C$, respectively. Under the CPA assumption, where an adversary is able to obtain ciphertexts of arbitrary plaintexts
adaptively, the relationship of the difference between two groups of chosen plain-image and cipher-image pairs, i.e., $(P, C)$ and
$(\tilde{P}, \tilde{C})$, can be derived as follows:

$$(c(i) \oplus c(i-1)) \oplus (\tilde{c}(i) \oplus \tilde{c}(i-1)) = (p(i) \dotplus k(i)) \oplus (\tilde{p}(i) \dotplus k(i)),$$

where $i = 1 \sim L$. More generally, we write it as

$$y = (\alpha \dotplus k) \oplus (\beta \dotplus k). \tag{10}$$


From the cryptanalysis point of view, these questions arise naturally:

1. Given a large quantity of $(\alpha, \beta, y)$, it is obvious that the exact key $k$ used for encryption will satisfy all the resultant
equations of the form (10). But is this $k$ unique or not? This relates to the question of the existence of equivalent keys.

2. How many queries of $(\alpha, \beta)$ are sufficient to recover the exact secret key $k$ or its equivalent form?³ This relates to the
resistance of the cryptosystem in the CPA scenario.

In [10], Li et al. proved that 3 pairs of queries $(\alpha, \beta)$ are sufficient to solve Eq. (10) in terms of modulo $2^7$. Soon, they
improved this result in terms of the required number of queries to 2.

Before we dive into the detail of the proof, we would like to cast the diffusion process of ICMPD into the form of Eq. (10).
Combining Eqs. (7) and (8), we can get

$$c(i) = [p'(i)s(i) \dotplus t(i)] \oplus r(i) \oplus c(i-1). \tag{11}$$

Similarly, we calculate the difference of two groups of chosen plain-image and cipher-image as follows:

$$(c(i) \oplus c(i-1)) \oplus (\tilde{c}(i) \oplus \tilde{c}(i-1)) = (p'(i)s(i) \dotplus t(i)) \oplus (\tilde{p}'(i)s(i) \dotplus t(i)).$$

Assuming $E_r$ and $E_c$ are known in advance by the adversary (or simply treating them as identity permutations), we can generalize
the above equation as

$$y = (\alpha s \dotplus t) \oplus (\beta s \dotplus t), \tag{12}$$

where $s$, $t$ are two unknowns, $y$ is known and $\alpha$, $\beta$ are known and can be chosen freely by the adversary in the CPA scenario.
Now, the same questions arise for Eq. (12). We will answer them in the following sections.


3.1. Previous work 

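The following two propositions solve the two questions related to Eq. (10).

Proposition 1. Let $\hat{k} = k \oplus 2^7$; then $\hat{k}$ is a solution of Eq. (10) if $k$ satisfies $y = (\alpha \dotplus k) \oplus (\beta \dotplus k)$.

Proof. To prove this proposition, we first examine the relationship of $k \oplus 2^7$ and $k \dotplus 2^7$. If $k \geq 2^7$, then it is easy to
conclude $k \oplus 2^7 = k - 2^7 = k \dotplus 2^7$. Similarly, we have $k \oplus 2^7 = k + 2^7 = k \dotplus 2^7$ when $k < 2^7$. Therefore,

$$\begin{aligned}
y &= (\alpha \dotplus k) \oplus (\beta \dotplus k) \\
  &= (\alpha \dotplus k) \oplus 2^7 \oplus (\beta \dotplus k) \oplus 2^7 \\
  &= (\alpha \dotplus k \dotplus 2^7) \oplus (\beta \dotplus k \dotplus 2^7) \\
  &= [\alpha \dotplus (k \oplus 2^7)] \oplus [\beta \dotplus (k \oplus 2^7)] \\
  &= (\alpha \dotplus \hat{k}) \oplus (\beta \dotplus \hat{k}).
\end{aligned}$$

This completes the proof. □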


3 The adversary can choose $(\alpha, \beta)$ freely and is aware of the value of $y$ under the CPA assumption.

Applying this proposition directly, we can easily conclude that all the image cryptosystems employing the diffusion of Eq. (9)
are subject to the problem of the existence of equivalent keys (key streams). To be more precise, this problem stems from the
nature of the modulo operator, i.e., the carry bit generated by the highest bit plane is discarded after the modulo operation.
In the following proposition, we answer the question of how many pairs of chosen plain-images and cipher-images, hence
$(\alpha, \beta)$ can be chosen freely and $y$ is known, are sufficient to recover the key stream of Eq. (9) in terms of modulo $2^7$.


Proposition 2. Two groups of $(\alpha, \beta)$ are sufficient to solve Eq. (10) in terms of modulo $2^7$. Specifically, they are $(0, 170)$ and
$(170, 85)$.


Proof. The proof presented in [18] involves theoretically studying the carry bits of all bit planes of Eq. (10); details can
be found in [19, Sec. 3.3]. Here, we would rather follow a straightforward logic to verify this proposition, which is shown to
be useful for our new model, Eq. (12).

Let $(\alpha_1, \beta_1) = (0, 170)$ and $(\alpha_2, \beta_2) = (170, 85)$; the proposition can be reformulated as

$$\begin{cases}
y_1 = (\alpha_1 \dotplus k) \oplus (\beta_1 \dotplus k), \\
y_2 = (\alpha_2 \dotplus k) \oplus (\beta_2 \dotplus k),
\end{cases} \tag{13}$$

where $y_1, y_2 \in [0, 255]$ are two known integers. This problem converts to whether the solution to Eq. (13) is unique in
terms of modulo $2^7$ given $y_1$ and $y_2$. More precisely, there is a unique solution for certain known $(y_1, y_2)$ tuples and there are
in total $2^7$ out of all the possible $(256 \times 256)$ tuples of $(y_1, y_2)$ which lead to this unique solution. The following procedures
demonstrate how this statement is verified.

Step 1: Let $y_1 = 0$, and find all the $k \in [0, 127]$ that satisfy the equation $y_1 = (\alpha_1 \dotplus k) \oplus (\beta_1 \dotplus k)$ and denote them as $K_{y_1}$.

Step 2: Let $y_2 = 0$, and find all the $k \in K_{y_1}$ that satisfy the equation $y_2 = (\alpha_2 \dotplus k) \oplus (\beta_2 \dotplus k)$ and denote the possible
results as $K_{y_2}$.

Step 3: If $\#(K_{y_2})$ equals 1 and $y_2 < 256$, then set $y_2 = y_2 + 1$ and go to Step 2.

Step 4: Let $y_1 = y_1 + 1$ if $y_1 < 256$ and set $y_2 = 0$, go to Step 1.

Finally, we can easily obtain 128 out of $256 \times 256$ tuples of $(y_1, y_2)$ and their corresponding $k$ from the above procedures and
then construct a table composed of these 128 triples $(y_1, y_2, k)$. The solution of the equation under queries $(\alpha_1, \beta_1)$ and
$(\alpha_2, \beta_2)$ can be determined by a simple look-up-table operation, which finishes the proof of the proposition. □

Proposition 2 deals with the problem of finding the solution of Eq. (10), and thus determining the diffusion key stream
of Eq. (9) in the context of a CPA scenario. Instead of studying all the carry bits of Eq. (10) theoretically, the proof shown
above relies heavily on exhaustive search over all the $256 \times 256$ combinations. This makes the proof seem informal, but
it possesses the following advantages: a) it is extremely fast since the number of combinations is only $256 \times 256$; b)
the by-product, i.e., the table composed of 128 triples $(y_1, y_2, k)$, allows one to find the key stream for Eq. (9) by a trivial
look-up-table operation; c) it can be easily extended to other diffusion operations when theoretically studying all the carry
bits is difficult, if not impossible.


3.2. Main results 

Based on the strategy presented above, we answer the questions about the solution of Eq. (12) in the following.

Proposition 3. Suppose $y, s, \alpha, \beta \in [0, 255]$, $t \in [0, 128)$ and $\gcd(s, 256) = 1$. Given $\alpha$, $\beta$ and $y$, the equation
$y = (\alpha s \dotplus t) \oplus (\beta s \dotplus t)$ has four equivalent solutions. Specifically, they are $(s, t)$, $(s, t + 128)$, $(256 - s, 127 - t)$ and
$(256 - s, 255 - t)$.

Proof. Let $f(s, t) = (\alpha s \dotplus t) \oplus (\beta s \dotplus t)$; the proposition is proved if the following three equations are true:

(i) $f(s, t) = f(s, t + 128)$;

(ii) $f(s, t) = f(256 - s, 127 - t)$;

(iii) $f(s, t) = f(256 - s, 255 - t)$.

Referring to Proposition 1, we have

$$\begin{aligned}
f(s, t + 128) &= [(\alpha s \bmod 256) \dotplus (t + 128 \bmod 256)] \oplus [(\beta s \bmod 256) \dotplus (t + 128 \bmod 256)] \\
&= [(\alpha s \bmod 256) \dotplus (t \oplus 128)] \oplus [(\beta s \bmod 256) \dotplus (t \oplus 128)] \\
&= (\alpha s \dotplus t \dotplus 128) \oplus (\beta s \dotplus t \dotplus 128) \\
&= (\alpha s \dotplus t) \oplus 128 \oplus (\beta s \dotplus t) \oplus 128 \\
&= f(s, t).
\end{aligned}$$

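To prove equation (ii), we first consider the following two cases:

(a) If $\alpha s \dotplus t < 128$, then we have

$$\begin{aligned}
[127 - (\alpha s \dotplus t)] \bmod 256 &= 127 - (\alpha s \dotplus t) \\
&= (1111111)_2 - (\alpha s \dotplus t) \\
&= (1111111)_2 \oplus (\alpha s \dotplus t) \\
&= 127 \oplus (\alpha s \dotplus t),
\end{aligned}$$

where $(\cdot)_2$ denotes the binary format of the operand.

(b) If $\alpha s \dotplus t \geq 128$, then we have

$$\begin{aligned}
[127 - (\alpha s \dotplus t)] \bmod 256 &= 127 + 256 - (\alpha s \dotplus t) \\
&= (101111111)_2 - (\alpha s \dotplus t) \\
&= (1111111)_2 \oplus (\alpha s \dotplus t) \\
&= 127 \oplus (\alpha s \dotplus t).
\end{aligned}$$

Now, it is clear that

$$\begin{aligned}
f(256 - s, 127 - t) &= [(\alpha(256 - s) \bmod 256) \dotplus (127 - t)] \oplus [(\beta(256 - s) \bmod 256) \dotplus (127 - t)] \\
&= [127 - (\alpha s \dotplus t)] \bmod 256 \oplus [127 - (\beta s \dotplus t)] \bmod 256 \\
&= 127 \oplus (\alpha s \dotplus t) \oplus 127 \oplus (\beta s \dotplus t) \\
&= f(s, t).
\end{aligned} \tag{14}$$

Referring to the results of equations (i) and (ii), we conclude

$$\begin{aligned}
f(256 - s, 255 - t) &= f(256 - s, 127 - t + 128) \\
&= f(256 - s, 127 - t) \\
&= f(s, t).
\end{aligned}$$

Finally, the proposition is proved. □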

Applying this proposition directly, it is easy to conclude that the image cryptosystem under study, i.e., ICMPD, also suffers
from the problem of the existence of equivalent keys (key streams). Once again, we emphasize that this security defect is rooted
in the use of the modulo operation, where information about the highest carry bit is lost.

Proposition 4. Suppose $y, s, t, \alpha, \beta \in [0, 255]$ and $\gcd(s, 256) = 1$. Seven groups of $(\alpha, \beta)$ are sufficient to solve the equation

$$y = (\alpha s \dotplus t) \oplus (\beta s \dotplus t)$$

in terms of modulo $2^7$. Specifically, they are $(2^0, 2^1)$, $(2^1, 2^2)$, $(2^2, 2^3)$, $(2^3, 2^4)$, $(2^4, 2^5)$, $(2^5, 2^6)$ and $(2^6, 2^7)$.

Proof. Theoretically studying all the carry bits becomes extremely difficult in this context as Eq. (12) involves a
multiplication. Let $(\alpha_1, \beta_1) = (2^0, 2^1)$, $(\alpha_2, \beta_2) = (2^1, 2^2)$, $(\alpha_3, \beta_3) = (2^2, 2^3)$, $(\alpha_4, \beta_4) = (2^3, 2^4)$,
$(\alpha_5, \beta_5) = (2^4, 2^5)$, $(\alpha_6, \beta_6) = (2^5, 2^6)$ and $(\alpha_7, \beta_7) = (2^6, 2^7)$; the problem turns to whether the following system
of equations has a single unique solution in terms of modulo $2^7$ for certain known integers $y_1, y_2, \cdots, y_7 \in [0, 255]$:

$$\begin{cases}
y_1 = (\alpha_1 s \dotplus t) \oplus (\beta_1 s \dotplus t), \\
y_2 = (\alpha_2 s \dotplus t) \oplus (\beta_2 s \dotplus t), \\
y_3 = (\alpha_3 s \dotplus t) \oplus (\beta_3 s \dotplus t), \\
y_4 = (\alpha_4 s \dotplus t) \oplus (\beta_4 s \dotplus t), \\
y_5 = (\alpha_5 s \dotplus t) \oplus (\beta_5 s \dotplus t), \\
y_6 = (\alpha_6 s \dotplus t) \oplus (\beta_6 s \dotplus t), \\
y_7 = (\alpha_7 s \dotplus t) \oplus (\beta_7 s \dotplus t).
\end{cases} \tag{15}$$

The intuitive method to verify this statement is to exhaustively search all the $2^{56}$ combinations of 7-tuples $(y_1, y_2, \cdots, y_7)$
using procedures similar to those described in Proposition 2. The complexity involved is equal to that of searching the key space of
the DES algorithm, which is known to be computationally expensive.

Observing that the unique solution $(s, t)$ is determined by $64 \times 128$ out of the $2^{56}$ 7-tuples $(y_1, y_2, \cdots, y_7)$, we can alternatively
search the $64 \times 128$ possible combinations of $(s, t)$ and check whether the resultant 7-tuple $(y_1, y_2, \cdots, y_7)$ is unique. The following
procedure verifies this assumption.

Step 1: Let $s = 1$, $t = 0$ and set $Y_{1 \sim 7} = \emptyset$.

Step 2: Calculate $(y_1, y_2, \cdots, y_7)$ according to Eq. (15) under known $s$, $t$ and 7 groups of $(\alpha, \beta)$. If the 7-tuple
$(y_1, y_2, \cdots, y_7) \notin Y_{1 \sim 7}$, then add $(y_1, y_2, \cdots, y_7)$ to the set $Y_{1 \sim 7}$. Otherwise, the proposition is false.

Step 3: Let $t = t + 1$ if $t < 128$, go to Step 2.

Step 4: Let $s = s + 2$ if $s < 128$ and set $t = 0$, go to Step 2.

Finally, one can obtain a table composed of $(64 \times 128)$ 9-tuples, i.e., $(y_1, y_2, \cdots, y_7, s, t)$. Finding the solution of Eq. (12)
under seven queries of $(\alpha, \beta)$ simplifies to a look-up-table operation, just as we did in Proposition 2. □

Corollary 1. The solution of the equation

$$y = (\alpha s \dotplus t) \oplus (\beta s \dotplus t)$$

in terms of modulo $2^7$ can be determined by the following 8 groups of queries: $(2^0, 0)$, $(2^1, 0)$, $(2^2, 0)$, $(2^3, 0)$, $(2^4, 0)$, $(2^5, 0)$,
$(2^6, 0)$ and $(2^7, 0)$.

Proof. It is easy to get the result with the observation that Eq. (15) is included in the equations that are constructed from
these 8 queries. Following the same procedures above, we construct a table of size $(8192 \times 1)$, each of whose entries is a
unique 10-tuple $(y_1, y_2, \cdots, y_8, s, t)$. Once again, finding the solution becomes a look-up-table operation. □
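
The exhaustive-search procedures behind Propositions 2 and 4, together with a check of the equivalent keys of Proposition 3, written out as an added Python example (it is not the authors' released code). The function names and the constructed secret (s, t) = (201, 77) are assumptions of this example.

```python
"""Exhaustive checks for the kernels of Eq. (10) and Eq. (12)."""

QUERIES_P2 = [(0, 170), (170, 85)]                       # Proposition 2
QUERIES_P4 = [(1 << m, 1 << (m + 1)) for m in range(7)]  # Proposition 4


def mod_xor(alpha, beta, k):
    """Eq. (10): y = (alpha + k mod 2^8) XOR (beta + k mod 2^8)."""
    return ((alpha + k) % 256) ^ ((beta + k) % 256)


def affine_xor(alpha, beta, s, t):
    """Eq. (12): y = (alpha*s + t mod 2^8) XOR (beta*s + t mod 2^8)."""
    return ((alpha * s + t) % 256) ^ ((beta * s + t) % 256)


def build_table(responses, candidates):
    """Map each response tuple to the candidate key that produces it.

    Raises ValueError if two candidates collide, i.e. if the queries do not
    identify the key uniquely (the proposition would then be false).
    """
    table = {}
    for key in candidates:
        ys = responses(key)
        if ys in table:
            raise ValueError(f"{table[ys]} and {key} are indistinguishable")
        table[ys] = key
    return table


def table_prop2():
    """The 128 triples (y1, y2) -> k with k in [0, 127]."""
    return build_table(
        lambda k: tuple(mod_xor(a, b, k) for a, b in QUERIES_P2),
        range(128))


def table_prop4():
    """The 64 x 128 tuples (y1..y7) -> (s, t), s odd in [1,127], t in [0,127]."""
    return build_table(
        lambda st: tuple(affine_xor(a, b, *st) for a, b in QUERIES_P4),
        [(s, t) for s in range(1, 128, 2) for t in range(128)])


def equivalent_keys(s, t):
    """The four equivalent solutions of Proposition 3 (t in [0, 128))."""
    return [(s, t), (s, t + 128), (256 - s, 127 - t), (256 - s, 255 - t)]


def check_prop3(queries):
    """True if all four equivalent keys answer every query identically."""
    return all(
        len({affine_xor(a, b, *key) for key in equivalent_keys(s, t)}) == 1
        for s in range(1, 128, 2) for t in range(128) for a, b in queries)


if __name__ == "__main__":
    t2, t4 = table_prop2(), table_prop4()
    print(len(t2), "entries for Eq. (10);", len(t4), "entries for Eq. (12)")
    # Constructed secret (s, t) = (201, 77): the lookup returns the
    # representative of its equivalence class with s < 128 and t < 128.
    ys = tuple(affine_xor(a, b, 201, 77) for a, b in QUERIES_P4)
    print("recovered equivalent key:", t4[ys])
```

A `ValueError` from `build_table` would mean the chosen queries leave two candidate keys indistinguishable, which is the "proposition is false" branch of the procedure.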

4. Chosen-plaintext attack of ICMPD 

As we can observe from Sec. 2.1, the key streams $E_r$, $E_c$, $S$, $T$ and $R$ are produced independently of the encryption
process. Moreover, the whole encryption is composed of a single round of (modified) permutation and diffusion. These facts
can be employed to facilitate a divide-and-conquer attack, where the whole system is cracked by exploiting the fact that some
bottom-line chosen plain-images are neutral with respect to the permutation stage. For convenience, let $u(j) = e_c(e_r(j))$ for
$j \in [1, 8L]$ and denote $U = \{u(j)\}_{j=1}^{8L}$. We explain the detail of how to recover the key streams $U$, $S$, $T$ and $R$ under a CPA
scenario in the following.

4.1. Revealing the permutation and equivalent substitution key streams (U,S and T) 

Referring to step 1 of the encryption process (see Sec. 2.2), the intermediate binary sequences can be obtained from the
plain-image without any secret key, which gives us the freedom to choose the binary sequences directly.

Let $B = \{b(j) = 0\}_{j=1}^{8L}$ be a binary sequence with constant value 0. Referring to Eqs. (5), (6) and (11), the resultant
cipher-image $C = \{c(i)\}_{i=1}^{L}$ will satisfy

$$\begin{cases}
c(i) \oplus c(i-1) = [p'(i)s(i) \dotplus t(i)] \oplus r(i), \\
p'(i) = \sum_{k=1}^{8} b(u(8(i-1)+k)) \cdot 2^{k-1},
\end{cases} \tag{16}$$

where $i \in [1, L]$, $k \in [1, 8]$ and $b(u(8(i-1)+k)) = b(u(j)) = 0$. Now, it becomes clear that recovering $u(j)$, and then $U$, is
equal to the problem of identifying the relationship between $j$ and $(i, k)$ for all $j \in [1, 8L]$.

Slightly modify a single bit of the chosen plain binary sequence $B$, for example, set the lowest bit of the first pixel to 1 and
keep the remaining $8L - 1$ bits unchanged. Denote the modified version of $B$ as $B_1 = \{b_1(j)\}_{j=1}^{8L}$ and obtain its corresponding
cipher-image $C_1 = \{c_1(i)\}_{i=1}^{L}$. Similar to Eq. (16), we conclude

$$\begin{cases}
c_1(i) \oplus c_1(i-1) = [p'_1(i)s(i) \dotplus t(i)] \oplus r(i), \\
p'_1(i) = \sum_{k=1}^{8} b_1(u(8(i-1)+k)) \cdot 2^{k-1},
\end{cases} \tag{17}$$

where $b_1(u(8(i-1)+k)) = b(u(j)) = 0$ for $j > 1$ and $b_1(1) = 1$. Combining Eqs. (16) and (17), it is concluded that

$$\begin{aligned}
(c(i) \oplus c(i-1)) \oplus (c_1(i) \oplus c_1(i-1)) &= [p'(i)s(i) \dotplus t(i)] \oplus [p'_1(i)s(i) \dotplus t(i)] \\
&= \begin{cases}
0 & \text{if } i < i_1, \\
(0 \cdot s(i) \dotplus t(i)) \oplus (2^{k_1} \cdot s(i) \dotplus t(i)) & \text{if } i = i_1, \\
0 & \text{if } i > i_1,
\end{cases}
\end{aligned} \tag{18}$$

where $i_1 = \lfloor u^{-1}(1)/8 \rfloor + 1$, $k_1 = u^{-1}(1) \bmod 8$ and $u(u^{-1}(i)) = i$.

Given the secret key $(x_0, y_0, a, b, k', x'_0, k^{\diamond}, x^{\diamond}_0, \mu, x^*_0) = (0.346, 0.478, 1.644, 2.986, 4.434, 0.6435, 5.673, 0.523, 3.14, 0.34)$,
which is exactly the same as that used in [9], we verify this statement by carrying out an experiment on a plain-image of size
$128 \times 128$. For illustration purposes, the cipher-images $C$ and $C_1$ are altered using

$$\begin{cases}
v(i) = c(i) \oplus c(i-1), \\
v_1(i) = c_1(i) \oplus c_1(i-1),
\end{cases}$$

and the results are denoted as $V$ and $V_1$. Figs. 4(a) and 4(b) depict the cipher-image sequences corresponding to $V$ and $V_1$,
respectively. The difference between $V$ and $V_1$ is shown in Fig. 4(c). Now, it is clear that the relationship between $j = 1$ and
$i = i_1$ can be readily identified.

Repeat this experiment for all the remaining bit locations, i.e., $j = 2 \sim 8L$, of $B$; then one can obtain the mapping between
$j \in [1, 8L]$ and $i \in [1, L]$ in the same way.

To reveal the exact permutation key stream $U$, the remaining problem is to identify the relationship between $j$ and $k$. To study
this problem, we set $i = i_1$ and review Eq. (18):

$$\begin{aligned}
y_1(i_1) &= (c(i_1) \oplus c(i_1 - 1)) \oplus (c_1(i_1) \oplus c_1(i_1 - 1)) \\
&= (0 \cdot s(i_1) \dotplus t(i_1)) \oplus (2^{k_1} \cdot s(i_1) \dotplus t(i_1)).
\end{aligned}$$

Noting that the relationship between $j \in [1, 8L]$ and $i \in [1, L]$ is revealed, we can obtain the following system of equations

$$\begin{cases}
y_2(i_1) = (0 \cdot s(i_1) \dotplus t(i_1)) \oplus (2^{k_2} \cdot s(i_1) \dotplus t(i_1)), \\
y_3(i_1) = (0 \cdot s(i_1) \dotplus t(i_1)) \oplus (2^{k_3} \cdot s(i_1) \dotplus t(i_1)), \\
y_4(i_1) = (0 \cdot s(i_1) \dotplus t(i_1)) \oplus (2^{k_4} \cdot s(i_1) \dotplus t(i_1)), \\
y_5(i_1) = (0 \cdot s(i_1) \dotplus t(i_1)) \oplus (2^{k_5} \cdot s(i_1) \dotplus t(i_1)), \\
y_6(i_1) = (0 \cdot s(i_1) \dotplus t(i_1)) \oplus (2^{k_6} \cdot s(i_1) \dotplus t(i_1)), \\
y_7(i_1) = (0 \cdot s(i_1) \dotplus t(i_1)) \oplus (2^{k_7} \cdot s(i_1) \dotplus t(i_1)), \\
y_8(i_1) = (0 \cdot s(i_1) \dotplus t(i_1)) \oplus (2^{k_8} \cdot s(i_1) \dotplus t(i_1)),
\end{cases}$$

by setting the other 7 bits which will be permuted to the $i_1$-th pixel location, i.e., $i_1 = \lfloor u^{-1}(1)/8 \rfloor + 1$, to 1.

Referring to Corollary 1, $s(i_1)$ and $t(i_1)$, elements of the equivalent key streams of $S$ and $T$, can be determined by these
equations. Simultaneously, the mapping between $j$ and $k_m$ ($m \in [1, 8]$) can also be identified by checking the bijection
$y_n(i_1) \leftrightarrow k_m$ ($n \in [1, 8]$). Repeating this test for all the other $L - 1$ pixels, the relationship between $j \in [1, 8L]$ and
$k \in [1, 8]$ can be totally revealed together with the equivalent form of $S$ and $T$. What is more, we conclude that the data
complexity involved is $(8L + 1)$ in terms of the number of chosen plain-images, which is linear in the size of the plain-image.


4.2. Revealing the equivalent diffusion key stream R 

After recovering the permutation key stream $U$ and the equivalent substitution key streams $S$ and $T$, ICMPD becomes a
diffusion-only cipher that is governed by Eq. (8). Rewrite Eq. (16) as

$$r(i) = t(i) \oplus c(i) \oplus c(i-1),$$

then one can calculate the key stream $R$ using the chosen plain-image with fixed bit value 0 and its corresponding
cipher-image. Finally, it is concluded that ICMPD can be broken at the cost of $8L + 1$ chosen plain-images and their
corresponding cipher-images.

To verify our analysis, we set the secret key to $(0.346, 0.478, 1.644, 2.986, 4.434, 0.6435, 5.673, 0.523, 3.14, 0.34)$ and carry
out some experiments on images of size $128 \times 128$. Based on the assumption that the encryption machine can be temporarily
accessed, we encrypt an image with all the pixels identical to zero. Then, we consecutively modify the value of $128 \times 128 \times 8$
bits of this zero image and obtain the corresponding $128 \times 128 \times 8$ cipher-images. The (equivalent) key streams $U$, $S$, $T$
and $R$ are deduced using the method described above. Then they are used to break the cipher-images shown in Fig. 3(c) and
Fig. 3(d). The recovered results are depicted in Fig. 5(a) and Fig. 5(b), which coincide with the original plain-images shown
in Fig. 3(a) and Fig. 3(b).
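
The key-stream recovery of Secs. 4.1 and 4.2, run against a locally simulated encryption oracle, as an added Python example (it is not the authors' code). Assumptions of this example: the key streams are random constructed values rather than chaotic orbits, indices are 0-based, and the eight responses of a pixel are ordered by their lowest set bit.

```python
import random

C0 = 172  # c(0) in Eq. (8)


def encrypt(bits, U, S, T, R):
    """ICMPD data path, Eqs. (5)-(8), on a flat list of 8L plain bits."""
    cipher, prev = [], C0
    for i in range(len(S)):
        p = sum(bits[U[8 * i + k]] << k for k in range(8))  # Eqs. (5), (6)
        prev = ((p * S[i] + T[i]) % 256) ^ R[i] ^ prev       # Eqs. (7), (8)
        cipher.append(prev)
    return cipher


def decrypt(cipher, U, S, T, R):
    """Inverse of encrypt(); also works with equivalent key streams."""
    bits, prev = [0] * (8 * len(S)), C0
    for i, c in enumerate(cipher):
        p = ((c ^ prev ^ R[i]) - T[i]) * pow(S[i], -1, 256) % 256
        for k in range(8):
            bits[U[8 * i + k]] = (p >> k) & 1
        prev = c
    return bits


def unchain(cipher):
    """v(i) = c(i) XOR c(i-1), which removes the feedback term of Eq. (8)."""
    return [c ^ p for c, p in zip(cipher, [C0] + cipher[:-1])]


# Corollary 1 table: responses to the queries (2^k, 0), k = 0..7 -> (s, t).
TABLE = {tuple((((s << k) + t) % 256) ^ t for k in range(8)): (s, t)
         for s in range(1, 128, 2) for t in range(128)}


def recover_streams(oracle, L):
    """Secs. 4.1 and 4.2: 8L + 1 chosen plain-images submitted to `oracle`."""
    n = 8 * L
    v0 = unchain(oracle([0] * n))            # all-zero image: t(i) ^ r(i)
    U, ys = [None] * n, [[0] * 8 for _ in range(L)]
    for j in range(n):                       # one chosen image per plain bit
        probe = [0] * n
        probe[j] = 1
        v = unchain(oracle(probe))
        i = next(m for m in range(L) if v[m] != v0[m])  # Eq. (18): pixel hit
        y = v[i] ^ v0[i]                     # t ^ ((2^k * s + t) mod 256)
        # Shortcut of this example: s is odd, so the lowest set bit of y is k.
        k = (y & -y).bit_length() - 1
        U[8 * i + k], ys[i][k] = j, y
    S, T = zip(*(TABLE[tuple(y)] for y in ys))      # equivalent S and T
    R = [t ^ v for t, v in zip(T, v0)]              # Sec. 4.2
    return U, list(S), list(T), R


def demo(L=16, seed=2024):
    """Run the recovery on constructed random key streams (default: 4x4)."""
    rng = random.Random(seed)
    U = rng.sample(range(8 * L), 8 * L)
    S = [rng.randrange(1, 256, 2) for _ in range(L)]   # odd: gcd(s, 256) = 1
    T = [rng.randrange(256) for _ in range(L)]
    R = [rng.randrange(256) for _ in range(L)]
    queries = []

    def oracle(bits):                        # local stand-in for the cipher
        queries.append(bits)
        return encrypt(bits, U, S, T, R)

    rec = recover_streams(oracle, L)
    equivalent = all(
        (s, t) in [(a, b), (a, b + 128), (256 - a, 127 - b), (256 - a, 255 - b)]
        for s, t, a, b in zip(S, T, rec[1], rec[2]))
    plain = [rng.randrange(2) for _ in range(8 * L)]
    target = encrypt(plain, U, S, T, R)      # target cipher-image, not a query
    return {"queries": len(queries), "U_exact": rec[0] == U,
            "ST_equivalent": equivalent,
            "plain_recovered": decrypt(target, *rec) == plain}


if __name__ == "__main__":
    print(demo())
```

The recovered $S$ and $T$ generally differ from the true streams and match them only up to the four equivalent solutions of Proposition 3; the recovered $R$ absorbs the difference, which is why decryption still succeeds.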


5. Discussion and conclusion 

In this paper, we have evaluated a new image cryptosystem based on a modified permutation-diffusion architecture [9]
in a chosen-plaintext attack scenario. As we claimed, the reason for the successful implementation of our CPA scheme is
twofold: a) the number of permutation-diffusion rounds is merely one; b) the key schedule is independent of
the encryption process. To address these problems, a simple remedy is to increase the number of iteration rounds based on a
comprehensive quantitative study of the tradeoff between complexity and security. An alternative solution is to embed
some feedback mechanism in the key schedule, such that the whole cryptosystem will operate in a supposedly one-time-pad
manner. Thus the difficulty of the CPA analysis increases dramatically.

The goal of this paper is not simply to present our CPA method on a given image cryptosystem, but to build a new framework
to quantitatively study the security level of the classical modulo then XORing operation and then apply this result to a new
diffusion kernel. In this regard, the work shown in this paper would benefit the measurement of the security of image
cryptosystems based on the permutation-diffusion architecture, and thus the design of practical schemes.

Figure 1: Block diagram of the permutation-diffusion structure proposed by Fridrich.

Figure 2: Schematic diagram of the modified permutation-diffusion structure of ICMPD.

Figure 3: Two plain-images and their corresponding cipher-images: (a) plain-image “Lena” of size 128 x 128; (b) plain-image “Peppers” of size 128 x 128;
(c) cipher-image corresponding to “Lena”; (d) cipher-image corresponding to “Peppers”.

Figure 4: Two cipher-image sequences and the difference between them: (a) cipher-image sequence $V$ corresponding to $B$; (b) cipher-image sequence $V_1$
corresponding to $B_1$; (c) XOR between $V$ and $V_1$ (for perceptual purposes, we artificially set the value of the pixels around the non-zero one to 128).

Figure 5: Application example of our chosen plaintext attack: (a) Recovered result from image shown in Fig. 3(c) using the obtained equivalent key streams;
(b) Recovered result from image shown in Fig. 3(d) using the obtained equivalent key streams.